Cyber Essentials: The five technical controls

The Cyber Essentials scheme, which is run by NCSC and IASME, is made up of five key technical controls that must be applied to all devices and cloud-based systems in scope of the certification.

The five controls are:

Firewalls

Every firewall in the business must be configured and have its default password changed. Additionally, every device in the scope of the assessment, both physical and virtual, must have a software firewall configured and enabled if the operating system supports it by default.

Where a firewall's administrative console is exposed to the internet, access to it must be restricted by multi-factor authentication and/or IP allow lists.

Secure Configuration

All devices, including cloud-based systems, must be configured with security in mind. This means that you must change any default passwords, disable any unused or unnecessary user accounts, and disable or remove any unnecessary applications or services.

The auto-run functionality must be disabled, so that devices plugged into machines cannot run automatically without the user being prompted first.

Users must be prompted to authenticate to devices and/or network services.

Device locking must be in place so that if a device is left unattended, a user must re-authenticate to log back in.

Security update management

Security updates must be applied to all devices where the update is rated high or critical, or has a CVSS v3 score of 7.0 or above. If a security update is released without a description of what has been fixed, it must also be applied.
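The rule above can be applied mechanically to a patch inventory. The following is an added example, not part of the scheme's own material: the field names (`severity`, `cvss_v3`, `description`), the update ids and the sample inventory are constructed for illustration.

```python
# Threshold and severity labels as stated in the section above.
CVSS_V3_THRESHOLD = 7.0
REQUIRED_SEVERITIES = {"high", "critical"}


def reasons_required(update: dict) -> list:
    """Return the reasons an update is mandatory; empty list if none apply."""
    reasons = []
    # Vendor labels vary in case and spacing, so normalise before comparing.
    severity = (update.get("severity") or "").strip().lower()
    if severity in REQUIRED_SEVERITIES:
        reasons.append(f"vendor severity {severity}")
    # A missing score is not treated as zero; it simply does not match.
    cvss = update.get("cvss_v3")
    if cvss is not None and float(cvss) >= CVSS_V3_THRESHOLD:
        reasons.append(f"CVSS v3 {float(cvss):.1f} >= {CVSS_V3_THRESHOLD}")
    # An update with no description of what it fixes is also mandatory.
    if not (update.get("description") or "").strip():
        reasons.append("no description of what was fixed")
    return reasons


def triage(updates: list) -> dict:
    """Map update id -> reasons, for mandatory updates only."""
    result = {}
    for update in updates:
        reasons = reasons_required(update)
        if reasons:
            result[update["id"]] = reasons
    return result


# Constructed sample inventory (hypothetical ids and field names).
SAMPLE = [
    {"id": "UPD-001", "severity": "Critical", "cvss_v3": 9.8, "description": "Fixes remote code execution"},
    {"id": "UPD-002", "severity": "Moderate", "cvss_v3": 7.0, "description": "Fixes privilege escalation"},
    {"id": "UPD-003", "severity": "Low", "cvss_v3": 3.1, "description": "Fixes minor information leak"},
    {"id": "UPD-004", "severity": None, "cvss_v3": None, "description": "  "},
    {"id": "UPD-005", "severity": "medium", "cvss_v3": 6.9, "description": "Fixes denial of service"},
]

if __name__ == "__main__":
    for update_id, why in triage(SAMPLE).items():
        print(update_id, "->", "; ".join(why))
```

UPD-002 shows the boundary case: a vendor rating below high still requires the update because its CVSS v3 score meets the 7.0 threshold.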

User access control

Users must run as a standard, low-level user for their day-to-day operations and must have separate accounts for administrative use. Users should only have access to what they need, thereby following least-privilege access.

Any accounts which are no longer required should be deleted or disabled, so they can no longer be used.

User accounts must authenticate to get access to business data or services.

Malware protection

Anti-malware software must be in place on all devices which are in scope, including physical and virtual devices. Anti-malware software must be configured to update daily and to protect against malicious websites.

Mobile devices must not be rooted or jailbroken and must be configured to update their applications from an approved list or application store.

Achieving Cyber Essentials

If you’d like to achieve Cyber Essentials, get in touch with us today to see how we can help your business.